Forget Fingerprints, Your Face Is A Security Key

No system is unhackable. But to hear Hector Hoyos describe his company’s latest security offering, it’s hard to imagine cyber-intruders easily breaking through the barriers he’s created. He’s unveiling it to the world in Las Vegas at this year’s CES convention.

Called HoyosID, the new product from New York-based Hoyos Labs is built around a free mobile app that uses biometrics to determine a user’s identity. In other words, by letting your smartphone’s camera measure the topography of your face, the micro-movements of facial muscles, pupil dilation, heat and light, your device can confirm your identity and act as a key to any number of security points in your life: phone, desktop, office, personal accounts, credit card transactions, etc.

“We are here to kill passwords,” Hoyos says.

For an organization like a bank, a retailer or a public or private company to use the system, it must lease servers from Hoyos that issue a different SSL security key every time a user wants to verify his or her identity. That key exists for the few seconds it takes to validate an identity and then is scrubbed. User data is never kept on servers. “Now (hackers) are forced to hack one user at a time,” Hoyos explained.

Could a hacker access a user’s biometric data and use it to fool the system? It would be tough because that data is stored only on the mobile device, heavily encrypted and accessible only by providing the biometric data the hacker is trying to steal in the first place.

When Hoyos demonstrated the product to me, I began calculating how one might fool the system. Could you pass off a photo of yourself and gain access? We tried and it didn’t work because a 2D picture has no topography (Google’s Face Unlock app could be accessed through a pic from another smartphone, as Hoyos demonstrated). Could you create an accurate model of a user’s face? Pupil dilation and micro-movements would be missing. “But what about identical twins?” I asked. Twins have different irises, he said.

When Apple released the latest iteration of the iPhone, the device came with a fingerprint reader. That security gate was hacked by the German hacker group Chaos Community Club in about two days. Security testers — both professionals and, err, hobbyists — will likely try to crack the HoyosID platform when it emerges. We’ll have to wait and see how they do.

Hoyos Labs intends to monetize the system when it becomes available this quarter by offering business-to-business and business-to-consumer models. The servers will be leased to organizations that want to use the system for 25 cents per user—a cost that increases with volume and with additional services like tracking, user flagging and more active monitoring of access activity.

Leveraging the ubiquity of smartphones is Hoyos Labs’ way of simplifying the security process. About 60% of people lose their passwords, and pass code tokens can be broken. “One hindrance to the widespread adoption of biometrics to date is that people are hesitant to carry around another token to confirm their identities – it’s just one more thing to lose,” said Hoyos.

Hoyos isn’t new to the game: the multiple patent holder invented HBOX and EyeSwipe biometrics identity authentication technologies and founded Global Rainmakers, Inc. (later renamed EyeLock Corp.). He wouldn’t name the dozen or so companies and organizations currently implementing his ID system, but did say that they were Fortune 100 listers in the financial services, banking, media, insurance and health sectors. So far Hoyos Labs is running on about $10 million in funding from friends and family. Let’s see if he can drum up some more interest from investors and customers at CES.

The Author

Forbes

Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.